Active Directory and Linux
David "Del" Elson

Active Directory and Linux 2005-12-03
Anonymous
Active Directory and Linux 2006-02-06
Anonymous (1 replies)
Re: Active Directory and Linux 2006-08-01
Anonymous
Vintela's VAS (now Quest) v2.6 suffers from major propagation issues. We bought VAS to meet a SOX requirement on our Solaris/Linux systems that any user disabled from AD would be disabled on Unix systems in 72 hours. About 50-70% of our systems using VAS took longer than 72 hours for the account changes to propagate to them. We were forced to manually flush VAS every 8 hours.

The 3.02 version of VAS, which was supposed to solve the propagation issue, resulted in a 60-90 second delay in logging in to the system and delays in lookups of VAS-controlled users. Things like ps, finger and sudo hang for seconds. This turned out to be a cache problem.

We ended up moving to OpenLDAP and generic LDAP authentication from our Unix hosts, except that our LDAP servers forward requests for the user's password to our AD servers. This enabled us to "lock" accounts when NT users expire, handle legacy issues where NT usernames don't match Unix logins, and maintain Unix security...

VAS required us to give our Windows admins and helpdesk folks the ability to create root accounts on any Unix system and to reset our Unix admins' login passwords. Combined with sudo, this (again) means root on any Unix system. We prevent this in LDAP by not forwarding password requests for privileged Unix users.


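An audit check for the policy the comment above describes (privileged Unix accounts must never have their password checks forwarded to AD), added here as an example; it is not the commenter's configuration nor code from VAS, OpenLDAP or Likewise. It assumes the forwarding is expressed as OpenLDAP pass-through authentication ({SASL} userPassword values), a hypothetical unixadmins group, and a constructed LDIF export.

```python
import re

# Constructed LDIF export (hypothetical directory): ordinary users get pass-through
# password checks against AD ({SASL}); Unix admins are meant to keep a local hash.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe
userPassword: {SASL}jdoe@EXAMPLE.COM

dn: uid=root-ops,ou=people,dc=example,dc=com
uid: root-ops
userPassword: {SSHA}placeholder-not-a-real-hash

dn: uid=dbadmin,ou=people,dc=example,dc=com
uid: dbadmin
userPassword: {SASL}dbadmin@EXAMPLE.COM

dn: cn=unixadmins,ou=groups,dc=example,dc=com
cn: unixadmins
memberUid: root-ops
memberUid: dbadmin
"""

def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, 'attr: value' lines only
    (a real export may also contain base64 '::' values and line continuations)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def forwarded_privileged_accounts(ldif_text, privileged_group="unixadmins"):
    """uids in the privileged group whose password check is still forwarded to AD."""
    entries = parse_ldif(ldif_text)
    privileged = set()
    for e in entries:
        if privileged_group in e.get("cn", []):
            privileged.update(e.get("memberUid", []))
    offenders = []
    for e in entries:
        uid = e.get("uid", [None])[0]
        forwarded = any(p.startswith("{SASL}") for p in e.get("userPassword", []))
        if uid in privileged and forwarded:
            offenders.append(uid)  # an AD-side reset could reach a root-capable Unix login
    return sorted(offenders)
```

Run it against a real `slapcat` export and treat any returned uid as a violation of the "no forwarding for privileged users" rule.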
Likewise Open 2008-07-02
Manny Vellon
Copyright 2009, SecurityFocus